need advice on root kit hunter log file results opensuse 13.1

by sirius57
from LinuxQuestions.org
I have to repair grub2 by booting the install DVD into repair mode and issuing the following commands:
# mount the root filesystem and bind the kernel pseudo-filesystems into it
mount /dev/sda2 /mnt
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mkdir /mnt/mounts
mount --rbind /mounts /mnt/mounts
# change root into the installed system and reinstall the boot loader to the disk
chroot /mnt
grub2-install /dev/sda
exit
reboot

I also ran e2fsck on the drive.

I do not have to repair grub2 after a system reboot, just on a power up. I ran Rootkit Hunter and it found 3 suspect files. These are script files and I am not sure if they are false positives. I am pasting my log files to this post. The first time it ran, 3 suspect files were reported; the second time it ran, it reported all good. The two log files are posted one after the other. The suspect files are:
/sbin/ifup
/usr/bin/ldd
/usr/bin/chkconfig

I had to edit out the bulk of the reports so I could post them. The warnings are in the reports.

Thank you for your time.

[12:11:12] Running Rootkit Hunter version 1.4.0 on linux-693r
[12:11:12]
[12:11:12] Info: Start date is Thu May 14 12:11:12 EDT 2020
[12:11:12]
[12:11:12] Checking configuration file and command-line options...
[12:11:12] Info: Detected operating system is 'Linux'
[12:11:12] Info: Uname output is 'Linux linux-693r 3.11.6-4-desktop #1 SMP PREEMPT Wed Oct 30 18:04:56 UTC 2013 (e6d4a27) x86_64 x86_64 x86_64 GNU/Linux'
[12:11:13] Info: Command line is /usr/bin/rkhunter --check
[12:11:13] Info: Environment shell is /bin/bash; rkhunter is using bash
[12:11:13] Info: Using configuration file '/etc/rkhunter.conf'
[12:11:13] Info: Installation directory is '/usr'
[12:11:13] Info: Using language 'en'
[12:11:13] Info: Using '/var/lib/rkhunter/db' as the database directory
[12:11:13] Info: Using '/usr/lib64/rkhunter/scripts' as the support script directory
[12:11:13] Info: Using '/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin' as the command directories
[12:11:13] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[12:11:13] Info: No mail-on-warning address configured
[12:11:13] Info: X will be automatically detected
[12:11:13] Info: Found the 'basename' command: /usr/bin/basename
[12:11:13] Info: Found the 'diff' command: /usr/bin/diff
[12:11:13] Info: Found the 'dirname' command: /usr/bin/dirname
[12:11:13] Info: Found the 'file' command: /usr/bin/file
[12:11:13] Info: Found the 'find' command: /usr/bin/find
[12:11:13] Info: Found the 'ifconfig' command: /sbin/ifconfig
[12:11:13] Info: Found the 'ip' command: /bin/ip
[12:11:13] Info: Found the 'ldd' command: /usr/bin/ldd
[12:11:13] Info: Found the 'lsattr' command: /usr/bin/lsattr
[12:11:13] Info: Found the 'lsmod' command: /bin/lsmod
[12:11:13] Info: Found the 'lsof' command: /usr/bin/lsof
[12:11:13] Info: Found the 'mktemp' command: /usr/bin/mktemp
[12:11:13] Info: Found the 'netstat' command: /bin/netstat
[12:11:13] Info: Found the 'perl' command: /usr/bin/perl
[12:11:13] Info: Found the 'pgrep' command: /usr/bin/pgrep
[12:11:13] Info: Found the 'ps' command: /usr/bin/ps
[12:11:13] Info: Found the 'pwd' command: /usr/bin/pwd
[12:11:13] Info: Found the 'readlink' command: /usr/bin/readlink
[12:11:13] Info: Found the 'stat' command: /usr/bin/stat
[12:11:14] Info: Found the 'strings' command: /usr/bin/strings
[12:11:14] Info: System is not using prelinking
[12:11:14] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[12:11:14] Info: The hash function field index is set to 1
[12:11:14] Info: Using package manager 'RPM' for file property checks
[12:11:14] Info: Found the 'rpm' command: /bin/rpm
[12:11:14] Info: Previous file attributes were stored
[12:11:14] Info: Enabled tests are: all
[12:11:14] Info: Disabled tests are: suspscan hidden_ports hidden_procs deleted_files packet_cap_apps
[12:11:14] Info: Including user files for file properties check:
[12:11:14] /etc/rkhunter.conf
[12:11:14] Info: Found ksym file '/proc/kallsyms'
[12:11:14] Info: Using 'date' to process epoch second times.
[12:11:14] Info: Locking is not being used
[12:11:14]
[12:11:14] Starting system checks...
[12:11:14]
[12:11:14] Info: Starting test name 'system_commands'
[12:11:14] Checking system commands...
[12:11:14]
[12:11:14] Info: Starting test name 'strings'
[12:11:14] Performing 'strings' command checks
[12:11:14] Scanning for string /usr/sbin/ntpsx [ OK ]
[12:11:14] Scanning for string /usr/sbin/.../bkit-ava [ OK ]
[12:11:14] Scanning for string /usr/sbin/.../bkit-d [ OK ]
[12:11:15] Scanning for string /usr/sbin/.../bkit-shd [ OK ]
[12:11:15] Scanning for string /usr/sbin/.../bkit-f [ OK ]
[12:11:15] Scanning for string /usr/include/.../proc.h [ OK ]
[12:11:15] Scanning for string /usr/include/.../.bash_history [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-get [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-dl [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-screen [ OK ]
[12:11:15] Scanning for string /usr/include/.../bkit-sleep [ OK ]
[12:11:15] Scanning for string /usr/lib/.../bkit-adore.o [ OK ]
[12:11:15] Scanning for string /usr/lib/.../ls [ OK ]
[12:11:15] Scanning for string /usr/lib/.../netstat [ OK ]
[12:11:15] Scanning for string /usr/lib/.../lsof [ OK ]
[12:11:15] Scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg [ OK ]
[12:11:45] /sbin/fsck [ OK ]
[12:11:45] /sbin/ifconfig [ OK ]
[12:11:45] /sbin/ifdown [ OK ]
[12:11:45] /sbin/ifstatus [ OK ]
[12:11:45] /sbin/ifup [ Warning ]
[12:11:45] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[12:11:45] /sbin/init [ OK ]
[12:11:46] /sbin/insmod [ OK ]
[13:40:37] Info: Starting test name 'system_configs'
[13:40:37] Performing system configuration file checks
[13:40:37] Checking for SSH configuration file [ Found ]
[13:40:37] Info: Found SSH configuration file: /etc/ssh/sshd_config
[13:40:38] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[13:40:38] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[13:40:38] Checking if SSH root access is allowed [ Warning ]
[13:40:38] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[13:40:38] Checking if SSH protocol v1 is allowed [ Warning ]
[13:40:38] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[13:40:38] Checking for running syslog daemon [ Found ]
[13:40:38] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[13:40:38] Checking for syslog configuration file [ Found ]
[13:40:38] Checking if syslog remote logging is allowed [ Not allowed ]
[13:40:38]
[13:40:38] Info: Starting test name 'filesystem'
[13:40:38] Performing filesystem checks
[13:40:38] Info: SCAN_MODE_DEV set to 'THOROUGH'
[13:40:39] Info: Found file '/dev/.sysconfig/network/ifup-lo': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/if-lo': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/config-lo': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/started': it is whitelisted.
[13:40:39] Info: Found file '/dev/.sysconfig/network/new-stamp-2': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-2445994891': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-2167102362': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-1026961346': it is whitelisted.
[13:40:39] Info: Found file '/dev/shm/pulse-shm-3381024706': it is whitelisted.
[13:40:39] Checking /dev for suspicious file types [ Warning ]
[13:40:39] Warning: Suspicious file types found in /dev:
[13:40:39] /dev/.sysconfig/network/if-enp5s0: ASCII text
[13:40:39] /dev/.sysconfig/network/ifup-enp5s0: ASCII text
[13:40:39] /dev/.sysconfig/network/config-enp5s0: ASCII text
[13:40:40] Info: Found hidden directory '/dev/.sysconfig': it is whitelisted.
[13:40:40] Checking for hidden files and directories [ Warning ]
[13:40:40] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
[13:40:53]
[13:40:53] Info: Starting test name 'apps'
[13:40:53] Checking application versions...
[13:40:54] Info: Application 'exim' not found.
[13:40:54] Checking version of GnuPG [ OK ]
[13:40:54] Info: Application 'gpg' version '2.0.22' found.
[13:40:54] Info: Application 'httpd' not found.
[13:40:54] Info: Application 'named' not found.
[13:40:54] Checking version of OpenSSL [ OK ]
[13:40:54] Info: Application 'openssl' version '1.0.1e' found.
[13:40:54] Info: Application 'php' not found.
[13:40:54] Checking version of Procmail MTA [ OK ]
[13:40:54] Info: Application 'procmail' version '3.22' found.
[13:40:54] Info: Application 'proftpd' not found.
[13:40:54] Checking version of OpenSSH [ OK ]
[13:40:54] Info: Application 'sshd' version '6.2,' found.
[13:40:55] Info: Applications checked: 4 out of 9
[13:40:55]
[13:40:55] System checks summary
[13:40:55] =====================
[13:40:55]
[13:40:55] File properties checks...
[13:40:55] Required commands check failed
[13:40:55] Files checked: 181
[13:40:55] Suspect files: 3
[13:40:55]
[13:40:55] Rootkit checks...
[13:40:55] Rootkits checked : 306
[13:40:55] Possible rootkits: 0
[13:40:55]
[13:40:55] Applications checks...
[13:40:55] Applications checked: 4
[13:40:55] Suspect applications: 0
[13:40:55]
[13:40:55] The system checks took: 2 minutes and 55 seconds
[13:40:56]
[13:40:56] Info: End date is Thu May 14 13:40:55 EDT 2020

Next run of rootkit test check...........

[19:20:16]
[19:20:16] Performing checks on the network ports
[19:20:16] Info: Starting test name 'ports'
[19:20:16] Performing check for backdoor ports
[19:20:17] Checking for TCP port 1524 [ Not found ]
[19:20:17] Checking for TCP port 1984 [ Not found ]
[19:20:17] Checking for UDP port 2001 [ Not found ]
[19:20:17] Checking for TCP port 2006 [ Not found ]
[19:20:17] Checking for TCP port 2128 [ Not found ]
[19:20:18] Checking for TCP port 6666 [ Not found ]
[19:20:18] Checking for TCP port 6667 [ Not found ]
[19:20:18] Checking for TCP port 6668 [ Not found ]
[19:20:18] Checking for TCP port 6669 [ Not found ]
[19:20:18] Checking for TCP port 7000 [ Not found ]
[19:20:19] Checking for TCP port 13000 [ Not found ]
[19:20:19] Checking for TCP port 14856 [ Not found ]
[19:20:19] Checking for TCP port 25000 [ Not found ]
[19:20:19] Checking for TCP port 29812 [ Not found ]
[19:20:19] Checking for TCP port 31337 [ Not found ]
[19:20:20] Checking for TCP port 32982 [ Not found ]
[19:20:20] Checking for TCP port 33369 [ Not found ]
[19:20:20] Checking for TCP port 47107 [ Not found ]
[19:20:20] Checking for TCP port 47018 [ Not found ]
[19:20:20] Checking for TCP port 60922 [ Not found ]
[19:20:21] Checking for TCP port 62883 [ Not found ]
[19:20:21] Checking for TCP port 65535 [ Not found ]
[19:20:21] Checking for backdoor ports [ None found ]
[19:20:21]
[19:20:21] Info: Test 'hidden_ports' disabled at users request.
[19:20:21]
[19:20:21] Performing checks on the network interfaces
[19:20:21] Info: Starting test name 'promisc'
[19:20:21] Checking for promiscuous interfaces [ None found ]
[19:20:21]
[19:20:21] Info: Test 'packet_cap_apps' disabled at users request.
[19:20:21]
[19:20:21] Info: Starting test name 'local_host'
[19:20:21] Checking the local host...
[19:20:22]
[19:20:22] Info: Starting test name 'startup_files'
[19:20:22] Performing system boot checks
[19:20:22] Checking for local host name [ Found ]
[19:20:22]
[19:20:22] Info: Starting test name 'startup_malware'
[19:20:22] Checking for system startup files [ Found ]
[19:20:25] Checking system startup files for malware [ None found ]
[19:20:25]
[19:20:25] Info: Starting test name 'group_accounts'
[19:20:25] Performing group and account checks
[19:20:25] Checking for passwd file [ Found ]
[19:20:25] Info: Found password file: /etc/passwd
[19:20:25] Checking for root equivalent (UID 0) accounts [ None found ]
[19:20:25] Info: Found shadow file: /etc/shadow
[19:20:25] Checking for passwordless accounts [ None found ]
[19:20:25]
[19:20:25] Info: Starting test name 'passwd_changes'
[19:20:25] Checking for passwd file changes [ None found ]
[19:20:25]
[19:20:25] Info: Starting test name 'group_changes'
[19:20:25] Checking for group file changes [ None found ]
[19:20:26] Checking root account shell history files [ OK ]
[19:20:26]
[19:20:26] Info: Starting test name 'system_configs'
[19:20:26] Performing system configuration file checks
[19:20:26] Checking for SSH configuration file [ Found ]
[19:20:26] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:20:26] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'yes'.
[19:20:26] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:20:26] Checking if SSH root access is allowed [ Warning ]
[19:20:26] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[19:20:26] Checking if SSH protocol v1 is allowed [ Warning ]
[19:20:26] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[19:20:26] Checking for running syslog daemon [ Found ]
[19:20:26] Info: Found rsyslog configuration file: /etc/rsyslog.conf
[19:20:27] Checking for syslog configuration file [ Found ]
[19:20:27] Checking if syslog remote logging is allowed [ Not allowed ]
[19:20:27]
[19:20:27] Info: Starting test name 'filesystem'
[19:20:27] Performing filesystem checks
[19:20:27] Info: SCAN_MODE_DEV set to 'THOROUGH'
[19:20:27] Info: Found file '/dev/.sysconfig/network/ifup-lo': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/if-lo': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/config-lo': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/started': it is whitelisted.
[19:20:27] Info: Found file '/dev/.sysconfig/network/new-stamp-2': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-945268521': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-3889263875': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-1133244443': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-779620220': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-2167102362': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-1026961346': it is whitelisted.
[19:20:28] Info: Found file '/dev/shm/pulse-shm-3381024706': it is whitelisted.
[19:20:28] Checking /dev for suspicious file types [ Warning ]
[19:20:28] Warning: Suspicious file types found in /dev:
[19:20:28] /dev/.sysconfig/network/if-enp5s0: ASCII text
[19:20:28] /dev/.sysconfig/network/ifup-enp5s0: ASCII text
[19:20:28] /dev/.sysconfig/network/config-enp5s0: ASCII text
[19:20:29] Info: Found hidden directory '/dev/.sysconfig': it is whitelisted.
[19:20:29] Checking for hidden files and directories [ Warning ]
[19:20:29] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
[19:20:29]
[19:20:29] Info: Starting test name 'apps'
[19:20:29] Checking application versions...
[19:20:30] Info: Application 'exim' not found.
[19:20:30] Checking version of GnuPG [ OK ]
[19:20:30] Info: Application 'gpg' version '2.0.22' found.
[19:20:30] Info: Application 'httpd' not found.
[19:20:30] Info: Application 'named' not found.
[19:20:30] Checking version of OpenSSL [ OK ]
[19:20:30] Info: Application 'openssl' version '1.0.1e' found.
[19:20:30] Info: Application 'php' not found.
[19:20:30] Checking version of Procmail MTA [ OK ]
[19:20:30] Info: Application 'procmail' version '3.22' found.
[19:20:31] Info: Application 'proftpd' not found.
[19:20:31] Checking version of OpenSSH [ OK ]
[19:20:31] Info: Application 'sshd' version '6.2,' found.
[19:20:31] Info: Applications checked: 4 out of 9
[19:20:31]
[19:20:31] System checks summary
[19:20:31] =====================
[19:20:31]
[19:20:31] File properties checks...
[19:20:31] Files checked: 181
[19:20:31] Suspect files: 0
[19:20:31]
[19:20:31] Rootkit checks...
[19:20:31] Rootkits checked : 306
[19:20:31] Possible rootkits: 0
[19:20:31]
[19:20:31] Applications checks...
[19:20:31] Applications checked: 4
[19:20:31] Suspect applications: 0
[19:20:31]
[19:20:31] The system checks took: 4 minutes and 34 seconds
[19:20:31]
[19:20:31] Info: End date is Thu May 14 19:20:31 EDT 2020
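A triage helper for logs like the two above, added here as an example; it is not part of the original post and not code from rkhunter itself. It parses rkhunter "Warning:" lines, folds in their continuation lines, and turns each kind of warning into the concrete next step: the rpm -Vf check that tells a distribution-shipped script apart from a replaced binary, the rkhunter.conf whitelist line (SCRIPTWHITELIST, ALLOWDEVFILE, ALLOWHIDDENFILE are real rkhunter.conf options) that silences a finding once it has been verified, and the explicit sshd_config settings the system_configs test is asking for. The sample log embedded in the script is constructed in the shape of the posted log; the ldd and chkconfig warning lines are assumed, since the post names those files but trimmed their log lines.

```python
"""Triage rkhunter 'Warning:' lines into verification steps and whitelist
entries (added example, not part of the original post or of rkhunter)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted rkhunter 1.4.0 log. The ldd
# and chkconfig lines are assumed: the post names those files but cut the
# lines; the other lines mirror the posted log.
SAMPLE_LOG = """\
[12:11:14] Info: Starting test name 'system_commands'
[12:11:45] /sbin/ifup [ Warning ]
[12:11:45] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[12:11:46] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[12:11:46] Warning: The command '/usr/bin/chkconfig' has been replaced by a script: /usr/bin/chkconfig: Perl script, ASCII text executable
[13:40:37] Info: Starting test name 'system_configs'
[13:40:38] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[13:40:38] Warning: The SSH configuration option 'Protocol' has not been set.
The default value may be '2,1', to allow the use of protocol version 1.
[13:40:38] Info: Starting test name 'filesystem'
[13:40:39] Warning: Suspicious file types found in /dev:
[13:40:39] /dev/.sysconfig/network/if-enp5s0: ASCII text
[13:40:39] /dev/.sysconfig/network/ifup-enp5s0: ASCII text
[13:40:40] Warning: Hidden file found: /dev/.udev: symbolic link to `/run/udev'
"""

TS = r"^\[\d\d:\d\d:\d\d\] "
TEST_RE = re.compile(TS + r"Info: Starting test name '(\w+)'")
WARN_RE = re.compile(TS + r"Warning: (.*)$")
DEVFILE_RE = re.compile(TS + r"(/dev/\S+): (.*)$")
SCRIPT_RE = re.compile(r"The command '([^']+)' has been replaced by a script: ")
SSH_RE = re.compile(r"The SSH configuration option '(\w+)' has not been set")
HIDDEN_RE = re.compile(r"Hidden file found: (\S+):")

# Explicit sshd_config values that satisfy the system_configs test (the
# Protocol line only matters on OpenSSH releases that still offer v1).
SSHD_FIX = {"PermitRootLogin": "PermitRootLogin no", "Protocol": "Protocol 2"}


def parse_warnings(log_text):
    """Return (test_name, message) per Warning line. Untimestamped lines and
    '/dev/...: type' lines are continuations folded into the last message."""
    warnings, test = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = TEST_RE.match(line)
        if m:
            test = m.group(1)
            continue
        m = WARN_RE.match(line)
        if m:
            warnings.append([test, m.group(1)])
            continue
        m = DEVFILE_RE.match(line)
        if warnings and (m or not line.startswith("[")):
            warnings[-1][1] += "\n" + (m.group(1) + ": " + m.group(2) if m else line)
    return [tuple(w) for w in warnings]


def script_paths(warnings):
    """Commands rkhunter reports as replaced by scripts, in log order."""
    return [SCRIPT_RE.match(msg).group(1) for _, msg in warnings if SCRIPT_RE.match(msg)]


def triage(warnings):
    """Group warnings into: verify (commands to run BEFORE whitelisting),
    whitelist (rkhunter.conf lines for verified findings), sshd (sshd_config
    lines the system_configs test asks for) and other (unclassified)."""
    out = defaultdict(list)
    for test, msg in warnings:
        m = SCRIPT_RE.match(msg)
        if m:
            # rpm -Vf compares the file with the digest recorded by the owning
            # package: a clean result means the script is the distribution's own.
            path = m.group(1)
            out["verify"].append("rpm -qf %s && rpm -Vf %s" % (path, path))
            out["whitelist"].append("SCRIPTWHITELIST=" + path)
            continue
        m = SSH_RE.match(msg)
        if m and m.group(1) in SSHD_FIX:
            out["sshd"].append(SSHD_FIX[m.group(1)])
            continue
        if msg.startswith("Suspicious file types found in /dev:"):
            for path in (l.split(": ", 1)[0] for l in msg.splitlines()[1:]):
                out["verify"].append("ls -l " + path)
                out["whitelist"].append("ALLOWDEVFILE=" + path)
            continue
        m = HIDDEN_RE.match(msg)
        if m:
            out["verify"].append("ls -ld " + m.group(1))
            out["whitelist"].append("ALLOWHIDDENFILE=" + m.group(1))
            continue
        out["other"].append("%s: %s" % (test, msg))
    return dict(out)


if __name__ == "__main__":
    report = triage(parse_warnings(SAMPLE_LOG))
    for section in ("verify", "whitelist", "sshd", "other"):
        print("== %s ==" % section)
        print("\n".join("  " + item for item in report.get(section, [])))
```

Run it against the real file with triage(parse_warnings(open("/var/log/rkhunter.log").read())). The order of the sections is the point: run the verify commands first and add a whitelist line only for a path that rpm -Vf reports clean, because a SCRIPTWHITELIST entry added before verification would hide a genuinely replaced command on every later run. rpm -V trusts the local RPM database, which an attacker with root could also have edited; for a stronger check, compare the file against the package from the install media or the distribution repository rather than the local database alone.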